On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into effect. The GDPR establishes some of the most robust privacy requirements globally and is likely to be a model followed by other jurisdictions. Airlines are uniquely affected by the GDPR with passenger data being at the heart of their business and international operations. As new technologies allow airlines to pursue new and innovative uses of customer data, it is imperative that airlines continue to conduct their operations with GDPR compliance in mind, particularly given the financial and other reputational issues that can arise for a failure to meet the GDPR’s strict requirements.

Below are 5 key issues for airlines to consider in relation to the GDPR post-implementation.
Continue Reading GDPR: Top 5 Post-Implementation Issues for Airlines

Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) reintroduced a pair of bills today relating to the cybersecurity of cars and aircraft, which would impose affirmative security, disclosure, and consent requirements on manufacturers and air carriers.  The Security and Privacy in Your Car (“SPY Car”) Act and Cybersecurity Standards for Aircraft to Improve Resilience (“Cyber AIR”) Act were each introduced but not enacted in a previous session of Congress.  In a joint press release, the Senators noted that the legislation was designed to “implement and improve cybersecurity standards for cars and aircraft.”

The SPY Car Act

The SPY Car Act would require cars manufactured for sale in the U.S. to comply with “reasonable measures to protect against hacking attacks,” including measures to isolate critical software systems from non-critical systems, evaluate security vulnerabilities, and “immediately detect, report, and stop attempts to intercept driving data or control the vehicle.”  It would also require “driving data” collected by cars to be “reasonably secured to prevent unauthorized access,” including while such data is in transit to other locations or subsequently stored elsewhere.  Violations of these cybersecurity requirements are subject to civil penalties of up to $5,000 per violation.
Continue Reading Senators Reintroduce Cybersecurity Legislation for Cars and Planes

Earlier this week, the U.S. Department of Transportation’s Advisory Committee on Aviation Consumer Protection (“ACACP”) held a meeting in Washington, D.C. to discuss data privacy and security issues relevant to the aviation industry.  The meeting featured presentations by representatives of the airlines, travel agents, online travel agents, global distribution systems (“GDS”), and consumers. According to ACACP committee member Charles Leocha, this week’s meeting marked the first time that the Federal Trade Commission (“FTC”), the Department of Transportation (“DOT”), and the air travel industry had come together to discuss consumer privacy — a discussion he said was “long long overdue.” In his opening remarks, Leocha characterized travel data as “some of the most sensitive and intimately revealing” consumer data, and expressed optimism that the meeting would be “step one” towards establishing a DOT privacy rule or guidance on best practices.

At the meeting, Robert Gorman, a Senior Attorney from the DOT presented on the Department’s authority to enforce privacy rules and regulate unfair and deceptive trade practices by air carriers.  He suggested that the Department would likely determine that a privacy violation rose to the level of an unfair or deceptive trade practice where a company:

  • Violated the terms of its consumer-facing privacy policy;
  • Disclosed personal information in a manner that violates public policy, is immoral, or causes substantial consumer injury not offset by any countervailing benefit;
  • Violated a rule where such violations are considered unfair or deceptive trade practices; or
  • Violated the Children’s Online Privacy Protection Act (COPPA), which the DOT has the authority to enforce against air carriers.

Gorman reported that he and his colleagues were not aware of receiving any complaints against air carriers for violating consumer privacy, but stated that the DOT is considering whether to issue guidance on complying with COPPA.Continue Reading Department of Transportation Meeting Focuses on Data Privacy in Air Travel